Data breach
Definitions

Australia

A data breach means

Federal Information Security Management Act of 2002

Data breach means

General

A data breach is

A data breach

A data breach is "an incident that violates the confidentiality of data."[1]

Overview

"A data breach can occur under many circumstances and for many reasons. A breach can be inadvertent, such as from the loss of paper documents or a portable electronic device, or deliberate, such as from a successful cyber-based attack by a hacker, criminal, foreign nation, terrorist, or other adversaries. Data breaches have been reported at a wide range of public and private institutions, including federal, state, and local government agencies; educational institutions; hospitals and other medical facilities; financial institutions; information resellers; and other businesses."[2]

"Data breaches can take many forms including

* hackers gaining access to data through a malicious attack;
* lost, stolen, or temporarily misplaced equipment (e.g., laptops, mobile phones, portable thumb drives, etc.);
* employee negligence (e.g., leaving a password list in a publicly accessible location, technical staff misconfiguring a security service or device, etc.); and
* policy and/or system failure (e.g., a policy that doesn't require multiple overlapping security measures — if backup security measures are absent, failure of a single protective system can leave data vulnerable)."[3]

"Data breaches are caused by computer hacking, malware, payment card fraud, employee insider breach, physical loss of non-electronic records and portable devices, and inadvertent exposure of confidential data on websites or in e-mail. Data breaches are expensive, time consuming, and can damage a company's reputation."[4]

"Data breaches involving sensitive personal information may result in identity theft and financial crimes (e.g., credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment-related fraud, government documents or benefits fraud, loan fraud, and health-care fraud). Identity theft involves the misuse of any individually identifying information to commit a violation of federal or state law."[5]

Specific instances of data breaches

Numerous data breaches and computer intrusions have been disclosed by the nation's largest data brokers, retailers, educational institutions, government agencies, health care entities, financial institutions, and Internet businesses. The Privacy Rights Clearinghouse chronicles and reports that over 251 million records containing sensitive personal information were involved in security breaches in the United States since January 2005.[6] From February 2005 to December 2006, 100 million personal records were reportedly lost or exposed.[7]

* In February 2005, the data broker ChoicePoint disclosed a security breach, as required by the California Security Breach Notification Act, involving the personal information of 163,000 persons.[8]
* In 2006 the personal data of 26.5 million veterans was breached when a VA employee's hard drive was stolen from his home.
* In 2007 the retailer TJX Companies revealed that 46.2 million credit and debit cards may have been compromised during the breach of its computer network by unauthorized individuals.[9]
* In 2008 the Hannaford supermarket chain revealed that approximately 4 million debit and credit card numbers were compromised when Hannaford's computer systems were illegally accessed while the cards were being authorized for purchase. There were 1,800 reported cases of fraud connected to the computer intrusion.[10]
* In 2009, 130 million records from credit card processor Heartland Payment Systems Inc. of Princeton, N.J., were breached. Also in 2009, personal information from Health Net on almost half a million Connecticut residents and 1.5 million patients nationally was breached.[11]
* In 2011, another breach of patient data occurred when data for 20,000 emergency room patients from Stanford Hospital in California was posted on a commercial website for nearly a year.[12]
* In January 2012, New York State Electric & Gas and Rochester Gas and Electric, subsidiaries of Iberdrola USA, sent notices to customers advising them of unauthorized access to customer data on the companies' customer information systems, which contained Social Security Numbers, dates of birth, and financial institution account numbers.[13]

Responses and remedies

These public disclosures have heightened interest in the security of sensitive personal information;[14] security of computer systems; applicability of federal laws to the protection of sensitive personal information; adequacy of enforcement tools available to law enforcement officials and federal regulators; business and regulation of data brokers;[15] liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for costs arising from data breaches; remedies available to individuals whose personal information was accessed without authorization;[16] prosecution of identity theft crimes related to data breaches; and criminal liability of persons responsible for unauthorized access to computer systems.[17]

"Data breaches are illegal under the Computer Fraud and Abuse Act."[18]

References

1. Report on Securing and Growing the Digital Economy, at 89.
2. Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent, at 2-3.
3. Data Breach Response Checklist, at 2.
4. Data Security Breach Notification Laws, at 2.
5. Id.
6. Privacy Rights Clearinghouse, "A Chronology of Data Breaches" (full-text).
7. Tom Zeller, "An Ominous Milestone: 100 Million Data Leaks," N.Y. Times, Dec. 18, 2006, at C3.
8. See U.S. v. Choicepoint.
9. U.S. Securities and Exchange Commission, Form 10-K Annual Report: The TJX Cos., Inc. (full-text). See also In re TJX Companies.
10. Ross Kerber, "Hannaford Case Exposes Holes In Law, Some Say 'Identity Theft' Criteria Called Too Narrow" (full-text).
11. Former Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and 1.5 million consumers nationwide and promptly notify consumers exposed by the security breach. See Connecticut Attorney General's Office, Press Release: "Attorney General Announces Health Net Settlement Involving Massive Security Breach Compromising Private Medical and Financial Info" (July 6, 2010) (full-text).
12. Kevin Sack, "Patient Data Posted Online in Major Breach of Privacy," N.Y. Times (Sep. 8, 2011) (full-text).
13. State of New York Public Service Comm'n, PSC Investigates Consumer Data Breach At NYSEG, RG&E (Jan. 23, 2012) (full-text).
14. "Data Security Legislation Expected to Face Big Challenges," 8 BNA Privacy & Security Law Report, at 51 (Jan. 12, 2009).
15. See Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, at 56.
16. See Federal Laws Related to Identity Theft.
17. See Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws.
18. Cybersecurity: Selected Issues for the 115th Congress, at 3.

Source

* Data Security Breach Notification Laws, at 2.

See also

* Data breach analysis
* Data breach notification
* Data Breach Notification-A Guide to Handling Personal Information Security Breaches
* Data breach notification laws
* HITECH Act
* Identity theft
* In re TJX Companies
* Organizational data breach

External resources

* EDUCAUSE, Library—Data Breach resources (full-text).
* Ponemon Institute, "2013 Cost of Data Breach Study: Global Analysis" (May 2013) (full-text). This study was commissioned by Symantec, a computer security software firm.